Heart Track Diary and Heart Track ABPM Analysis Mobile Applications Privacy Notice
Version Date: November 2020
Introduction
Please read this Privacy Notice (the “Privacy Notice”) for the Heart Track Diary app carefully before accepting it. Acceptance of this Privacy Notice will transmit patient personal information, including health-related information, into a Heart Track ABPM analysis system account which stores information in the cloud within the patient and/or healthcare provider’s local region, accessible and managed by healthcare providers. BY ACCEPTING THIS PRIVACY NOTICE AND USING THE HEART TRACK DIARY APP, HEALTHCARE PROVIDER AND PAITNET USERS AFFIRM THAT THEY ARE OF LEGAL AGE TO ACCEPT THIS PRIVACY NOTICE, AND THAT THEY ARE AGREEING EITHER ON THEIR OWN BEHALF, OR ON BEHALF OF ANOTHER INDIVIDUAL FOR WHOM THEY HAVE ACTUAL AUTHORITY TO LEGALLY ACCEPT TO THIS PRIVACY NOTICE.
A&D Medical Heart Track Diary is an app developed by mmHg and provided under the A&D Medical name. A&D Engineering, Inc. (dba A&D Medical) and mmHg are two separate companies. mmHg Inc. is the developer of Heart Track ABPM analysis software. mmHg developed the Heart Track Diary app (“App”) and licenses the marketing authorizations/registrations for it to A&D Medical.
mmHg Inc., of 5-134, 11350 83 Ave, Clinical Sciences Building, University of Alberta, Edmonton AB, T6G 2G3, Canada, is the controller of personal information transmitted through the Heart Track Diary app to your Heart Track ABPM analysis system account, managed by your health care provider. You may contact us at the address above or at ht-support@andhearttrack.com.
References to “patient,” in this Privacy Notice are references to the individual using the Heart Track Diary app. References to “healthcare providers” in this Privacy Notice are references to qualified healthcare provider individuals or teams using the Heart Track ABPM analysis system. References to “mmHg,” “us,” “our,” or “we” in this Privacy Notice are to mmHg Inc.
mmHg recognizes the importance of data protection and privacy and is committed to protecting ALL personal information, including health-related information.
This Privacy Notice explains how we handle personal information including health-related information that is provided to us through use of the Heart Track Diary app, and the Heart Track ABPM analysis system. This Privacy Notice does not apply to personal information collected by mmHg (including its subsidiaries and affiliates) or A&D Medical via other methods, such as web sites, customer call centers, or Heart Track ABPM analysis software; nor does this Privacy Notice apply to other third-party web sites.
For United States of America Users: Please note that any health information provided to us by healthcare providers, or shared by patients with their healthcare provider, through the Heart Track ABPM analysis system will be additionally governed by our Health Insurance Portability and Accountability Act (HIPAA) and Personal Information Protection and Electronic Documents Act (PIPEDA) Notice of Privacy Practices, available on the Heart Track Diary website located at andhearttrack.com/heart-track-diary/privacy-policy.html.
PATIENT USE OF THE HEART TRACK DIARY APP, AND PROVIDER USE OF THE HEART TRACK ABPM ANALYSIS SYSTEM, CONSTITUTES, AND IS CONDITIONED UPON, ACCEPTANCE OF THIS PRIVACY NOTICE. IN CERTAIN EXCEPTIONAL CIRCUMSTANCES, MMHG’s DATA PROCESSORS MAY NEED TO ACCESS PATIENT PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION. BY ACCEPTING, THE PATIENT AND PROVIDER EXPLICITLY ACKNOWLEDGE THAT THIS PRIVACY NOTICE WILL APPLY TO USE OF THE HEART TRACK DIARY APP AND USE OF THE HEART TRACK ABPM ANALYSIS SYSTEM AND TO THE PROCESSING AND TRANSFER OF PATIENT PERSONAL INFORMATION, INCLUDING HEALTH-RELATED INFORMATION, AS SET OUT IN THIS PRIVACY NOTICE.
The index and headings in this Privacy Notice are for patient and healthcare provider convenience only, and do not limit, define, or fully explain each section.
2. No medical advice.
3. What does this Privacy Notice apply to?
4. What information does this Privacy Notice govern?
5. How is personal information handled?
6. How long does mmHg store personal information?
7. Does mmHg share personal information with third parties?
8. How does mmHg secure personal information?
9. Where does mmHg store and transfer personal information?
10. Will mmHg send me marketing material?
11. How does mmHg protect the privacy of children?
12. How may I access and/or correct my personal information?
13. What rights do I have over my personal information?
14. How do I delete my Heart Track ABPM analysis system account?
15. How can I contact mmHg?
16. Changes to this Privacy Notice.
1. Background of the Heart Track Diary app and the Heart Track ABPM analysis system.
mmHg Inc. developed the Heart Track Diary app and Heart Track ABPM analysis system (“App”) and licences the marketing authorizations/registrations for it to A&D Medical.
Patients can use the Heart Track Diary app to collect daily activity data through manual data entry; this information is then paired with the blood pressure information collected by the Heart Track ABPM software, via their use of the A&D Medical TM-2441 ambulatory blood pressure monitor, issued and managed an healthcare provider team. The Heart Track ABPM analysis system is a secure, cloud-based ambulatory blood pressure analysis system that may be used by healthcare professionals, and A&D Medical, to aid in the review, analysis, and evaluation of ambulatory blood pressure data, and healthcare provider user-entered information, including basic clinical medical history, and current medications. The Heart Track Diary app and Heart Track ABPM analysis system enable mmHg to improve the quality, security, and effectiveness of medical devices and systems and allow mmHg to develop innovative and effective health management software for a variety of different chronic and communicable diseases in the interests of public health. Use of the Heart Track ABPM analysis system may require: compatible devices, internet access, data usage (charges may apply), certain software (fees may apply), and periodic updates, and the performance of the Heart Track ABPM analysis system may be affected by these requirements.
A&D Medical holds the marketing authorizations/registrations for the Heart Track ABPM analysis system, and provides the system to the health provider as a data processor.
2. No medical advice.
THE HEART TRACK DIARY APP AND THE HEART TRACK ABPM ANALYSIS SYSTEM ARE NOT INTENDED FOR THE DIAGNOSIS OF OR SCREENING FOR HYPERTENSION, OR ANY OTHER CHRONIC AND/OR COMMUNICABLE DISEASE. USERS SHOULD BE AWARE THAT THE HEART TRACK ABPM ANALYSIS SYSTEM IS AN INFORMATION MANAGEMENT SERVICE TO ENABLE THE ANALYSIS OF BLOOD PRESSURE AND RELATED PATIENT DAILY ACTIVITY DATA AND IS NOT INTENDED TO BE A SUBSTITUTE FOR THE ADVICE OF A HEALTH CARE PROFESSIONAL. INDIVIDUALS SHOULD ALWAYS CONSULT THEIR DOCTOR OR OTHER QUALIFIED HEALTH CARE PROFESSIONAL WITH ANY QUESTIONS THEY MAY HAVE REGARDING A MEDICAL CONDITION, INCLUDING ANY QUERIES OR CONCERNS ABOUT BLOOD PRESSURE MANAGEMENT.
MMHG IS NOT A PROVIDER OF MEDICAL CARE AND MMHG IS NOT RESPONSIBLE FOR NOTIFYING AN INDIVIDUAL’S DOCTOR OR OTHER HEALTHCARE PROFESSIONAL(S) OF ANY CHANGES IN PATIENT READINGS.
The Heart Track ABPM analysis system is designed to help individuals and their healthcare professionals better manage blood pressure, through information, analysis and communication. Qualified healthcare professional(s) are solely responsible for communicating blood pressure data and discussing and recommending testing and treatment options. mmHg does not recommend or endorse any specific tests, products, procedures, or opinions.
HEALTH CARE PROVIDERS AND PATIENTS’ DECISION TO TAKE ACTION BASED ON ANY INFORMATION TRANSMITTED TO OR STORED ON THE HEART TRACK ABPM ANALSYSIS SYSTEM OR ON ANY INFORMATION RECEIVED FROM MMHG EMPLOYEES, AGENTS, OR SUPPLIERS IS SOLELY AT THEIR OWN RISK.
3. What does this Privacy Notice apply to?
This Privacy Notice applies only to the personal information entered through the Heart Track Diary app and when an account and patient profile is created in the Heart Track ABPM analysis system, and to the personal information, including health-related information, that we may receive from qualified health care provider and patient users (as explained in this notice) and stored within the Heart Track ABPM analysis system. Data will be uploaded to the Heart Track ABPM analysis system when qualified healthcare providers and patients use the Heart Track Diary app to connect with the A&D Medical TM-2441 ambulatory blood pressure device, or if data is entered manually, and through any customer services we provide that are connected to use of the Heart Track ABPM analysis system. Qualified healthcare provider users can access the Heart Track ABPM analysis system via a website domain; use of any Heart Track ABPM system website will be subject to this privacy notice. This Privacy Notice does not apply to any other personal information provided by the patient or healthcare provider or collected from the patient, or healthcare provider, by mmHg.
4. What information does this Privacy Notice govern?
This Privacy Notice covers the following information:
- The Heart Track ABPM analysis system patient and clinician account profiles, completed by qualified healthcare providers and which includes the name, date of birth, and email address of adult users for use by another adult (where they have authority to do so), and in the case of pediatric use, in addition to the email address of the parent/guardian, the child’s name and date of birth.
- Health-related information sent from a paired authorized A&D ambulatory blood pressure device (i.e. TM-2441) and/or manually entered patient medical data (by qualified healthcare providers) such as clinical medical history and medications and/or manually entered patient daily activity data, such as eating and exercise times.
- Information we receive about qualified healthcare provider tablets and patient mobile devices, including information about device operating systems and other troubleshooting and analytical data to help us provide the Heart Track Diary app and Heart Track ABPM analysis system to qualified healthcare providers and patients.
The Heart Track Diary app transmits personal information and data directly to the Heart Track ABPM analysis system pursuant to this Privacy Notice. Qualified healthcare providers may manage how the Heart Track ABPM analysis system interacts with the A&D Medical ambulatory blood pressure monitor model TM-2441.
5. How is personal information handled?
When a patient and/or clinical user is registered for a Heart Track ABPM analysis system account, registration data (name, date of birth, email address, mailing address) are kept separate from the blood pressure data uploaded from the A&D ambulatory blood pressure monitor. mmHg uses technical and administrative measures to ensure data separation and will never combine these data.
Personal information
mmHg uses patient user personal information, including health-related information and data derived from an A&D Medical ambulatory blood pressure device, clinician facing tablet/mobile device, and patient facing mobile device in the following ways:
- to provide qualified healthcare providers with the ability to create and manage Heart Track ABPM analysis system clinician and patient accounts, to support blood pressure data analysis to allow the storage, back-up and retrieval of patient ambulatory blood pressure measurement values, and to ensure continuous access to information by qualified healthcare providers.
- to help mmHg fix any issues with the Heart Track Diary app or the Heart Track ABPM analysis system, including where mmHg will respond to questions or respond to request for support, troubleshooting, or other any performance issues.
- if the user is a parent or guardian, to enable their child’s qualified healthcare providers to create an Heart Track ABPM system account to support their child’s blood pressure assessment, and to allow them to manage their use of the Heart Track Diary app.
- For United States of America Users only: to provide improved treatment guidance for qualified healthcare professionals and patients using the Heart Track Diary app, as well as for research and A&D Medical’s health care operations activities, as applicable as described in this Privacy Notice and our HIPAA Notice of Privacy Practices.
Data Analysis
mmHg uses de-identified, pseudonymized, aggregated, and/or anonymized information for limited purposes. mmHg performs tasks as a data processor with this data analytics process, in particular, the processes related to de-identifying, pseudonymizing and/or anonymized information. This is information which mmHg securely holds and will not be used to identify qualified healthcare providers or patient users individually by name or email address. The purposes for which mmHg will use this information are:
- to improve the quality, security and effectiveness of medical devices and systems and to allow for the development of innovative and effective treatment for and management of blood pressure and other chronic and communicable diseases in the interests of public health.
- to create, access, retain, use, and disclose to our affiliated companies and to third-party researchers, healthcare entities or professionals or public health authorities for the purposes of scientific research, statistical purposes and analysis.
- to research, develop and test healthcare care systems and management.
- to validate upgrades, and to keep the Heart Track ABPM analysis system safe and secure.
Healthcare professional access
For United States of America Users: When qualified healthcare providers create or access patient accounts and data of the Heart Track ABPM analysis system, information will be processed consistent with our HIPAA Notice of Privacy Practices, available on the Heart Track ABPM analysis system website located at andhearttrack.com/heart-track-diary/privacy-policy.html. Any personal information, including health-related information, that patients provide to us directly and that are not shared with their qualified healthcare provider is governed by this Privacy Notice and is not governed by our HIPAA Notice of Privacy Practices or otherwise protected by HIPAA.
6. How long does mmHg store personal information?
mmHg will continue to store personal information while qualified healthcare providers and patients have an active Heart Track ABPM analysis system account (or patient profile created by qualified healthcare providers) and in accordance with applicable data retention requirements. The section entitled “How do I delete my Heart Track ABPM analysis system account” below explains how patients and qualified healthcare providers can delete their account or profile, and what happens to personal information once the account has been deleted.
7. Does mmHg share personal information with third parties?
We share personal information with our third-party suppliers solely to provide, maintain, host, and support the Heart Track ABPM analysis system. mmHg, which holds the marketing authorizations/registrations for the Heart Track ABPM analysis system, will process personal information, including health-related information. mmHg acts as a data processor with the data analytics process, in particular, the processes related to de-identifying, pseudonymizing and/or anonymized information. Where we provide personal information to third-party suppliers to assist us with the provision of Heart Track ABPM analysis system accounts, they are required to keep patient personal information confidential and secure and to use the collected personal information to the minimum extent necessary.
mmHg may use third-party service providers to provide all users with the Heart Track Diary app and Heart Track ABPM analysis system. For example, we may use third-party service providers to report when the Heart Track Diary and Heart Track ABPM analysis apps crashes or experiences certain errors so that we can support and improve both of the apps, and when these crashes or errors occur, both apps will send certain information about the incident to such third parties. The information sent to such third parties will not involve the use of personal information.
Where healthcare provider and patient users opt-in to receive direct marketing communications from us, we may share healthcare provider and patient personal information with local affiliated mmHg (e.g. A&D Medical) companies with whom we are jointly marketing a product or service or jointly conducting a program or activity. This will only occur where consent to sharing has been provided, for example, where a user will opt in to receive marketing communications from mmHg (or its affiliates) as described in this Privacy Notice. We also may share healthcare provider and patient personal information with third parties where healthcare provider and patient users have expressly asked us to do so. We will not sell or license personal information to third parties except in connection with the sale, merger, or transfer of a product line or division, so that the buyer can continue to provide healthcare provider and patient users with information and services. For the avoidance of doubt, we will never sell personal information for commercial purposes to third parties and we may only share personal information with third parties where consent has been provided or where permitted by applicable law.
We may share and the healthcare provider and patient hereby consent to us sharing such de-identified, pseudonymized, aggregated, and/or anonymized information with affiliated mmHg companies and with other third parties for the purposes relating to “Data Analysis” set out above. This is information which mmHg securely holds and will not be used to identify individuals by name or email address.
We reserve the right to disclose healthcare provider and patient users’ personal information to respond to authorized information requests from government authorities, to address national security situations, or when otherwise required by law. Furthermore, where permitted or required by law, we may also disclose the information we collect from users where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of this Privacy Notice, or as evidence in litigation in which we are involved. Personal information may be subject to foreign laws and may be accessible by foreign governments, courts, law enforcement, and regulatory agencies.
8. How does mmHg secure personal information?
We have implemented administrative, technical, and physical safeguards to protect personal information, including health-related information, from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including through the use of cryptographic technologies. mmHg restricts access to personal information by its employees on a need to know basis. Please keep in mind that no internet or Wi-Fi transmission is 100% secure, so please exercise caution when uploading personal information, especially health-related information, to the Heart Track Diary app and the Heart Track ABPM analysis system accounts.
Healthcare provider and patient users are responsible for protecting against unauthorized access to devices that house Heart Track software. We recommend securing access to mobile devices by locking mobile devices, choosing a robust password that nobody else knows or can easily guess, and keeping account information and passwords private. mmHg is not responsible for any lost, stolen, or compromised passwords or for any activity on Heart Track ABPM analysis system accounts from unauthorized users where caused by healthcare provider and patient users. If it is though that an Heart Track ABPM analysis system account has been compromised, users should contact us as soon as they are able at ht-support@andhearttrack.com.
9. Where does mmHg store and transfer personal information?
The personal information transmitted to the Heart Track ABPM analysis system will be stored in the cloud on secure regional servers.
- If the healthcare provider practices in Canada: personal information will be hosted on servers in Canada.
- If the healthcare provider practices in United States: personal information will be hosted on servers in the United States of America.
10. Will mmHg send me marketing material?
mmHg (or its affiliates) may send advertising and marketing-related information about blood pressure management or their other products and services if (where required by law) users opted-in to receive such communications when Heart Track ABPM analysis accounts are set up. We may invite healthcare provider and patient users to participate in surveys about our products, provide healthcare providers with news and newsletters, or to notify healthcare providers about special offers and promotions. Healthcare providers or patient users may opt out from receiving marketing-related communications by either clicking on the unsubscribe link at the bottom of marketing-related emails that are received, by changing Heart Track ABPM analysis system preferences, or by contacting us at ht-support@andhearttrack.com. We will process opt-out requests without undue delay.
Neither mmHg nor its affiliates or licensors will send advertising or marketing-related information to children.
mmHg will not sell personal information to third parties for direct marketing.
Where users opt out of receiving marketing-related information about blood pressure management, we may continue to send users non-marketing related information. This information may be in relation to necessary system and service updates or issues including product safety.
For United States of America Users: Please be aware that when patient users share their personal information, including health-related information, with their healthcare providers through the Heart Track Diary app and patients opt-in to receive marketing communications from mmHg or A&D Medical, patients are authorizing mmHg and A&D Medical to use and disclose personal information so that mmHg and A&D Medical may send to patients advertising and marketing-related information about blood pressure management or their other products and services. Patients must understand that once information is disclosed pursuant to this authorization that it may be re-disclosed and no longer protected by HIPAA. Patients must understand that neither mmHg nor healthcare providers may condition treatment, payment, insurance enrollment, eligibility for benefits on the patients’ choice to opt-in to receive marketing communications from mmHg and/or A&D Medical. This authorization will remain in effect for so long as the healthcare provider has access to the patient information through the Heart Track ABPM analysis system and the patient has selected (where applicable) opt-in to receive marketing communications. Healthcare providers and patients understand that they may revoke this authorization at any time by opting out of receiving marketing communications by either clicking on the unsubscribe link at the bottom of marketing-related emails sent to patients or by contacting us at ht-support@andhearttrack.com, but that this revocation will only apply to the extent that we have not already taken action based on it.
11. How does mmHg protect the privacy of children?
Each qualified healthcare provider user is required to enter patient date of birth. The parent/guardian must consent to the child’s use of the Heart Track Diary app.
At any time, a parent/guardian may stop the collection of a child’s personal information, including health-related information, by requesting that the qualified healthcare provider delete the Heart Track ABPM analysis system account used by the child or by contacting us at ht-support@andhearttrack.com. This action will delete the account being used by the child but we retain aggregated and de-identified information and may need to retain certain personal information as required by law.
12. How may I access and/or correct my personal information?
Healthcare providers may correct patient profile information through the Heart Track ABPM analysis system patient profile settings within the Heart Track ABPM analysis app or on the Heart Track ABPM system healthcare provider web portal. We are not able to correct/amend health device readings stored in the Heart Track Diary blood pressure management system account but will assist healthcare providers and patients with deleting account information if requested.
13. What rights do I have over my personal information?
Depending on the patients’ place of residence, they may have the right to: (a) access the personal information we hold about them; (b) request we correct any inaccurate personal information we hold about them; (c) delete any personal information we hold about them; (d) restrict the processing of personal information we hold about them; (e) object to the processing of personal information we hold about them; and/or (f) receive any personal information they have provided to us on the basis of their consent, in a structured and commonly used machine-readable format.
Children may also have the right to access the personal information held about them through the Heart Track Diary blood pressure management system. Where we receive a request for access for a child’s personal information from the child’s parent/guardian, we may respond directly to the child’s parent/guardian. We will always seek to verify the identity of the person seeking access to a child’s information, whether it is from the child him/herself or from a parent or guardian.
To request the exercise of these rights, please contact us at ht-support@andhearttrack.com.
For United States of America Users: Please note that patient rights with respect to any health information provided to us by their healthcare provider, or shared by them with their healthcare provider, through the Heart Track Diary app or Heart Track ABPM analysis system will be governed by our HIPAA Notice of Privacy Practices, available at andhearttrack.com/heart-track-diary/privacy-policy.html.
14. How do I delete my Heart Track ABPM analysis system account?
If a patient would like their Heart Track ABPM system account to be deleted they should please contact us at ht-support@andhearttrack.com. Please be aware that if a patient account is deleted, we will retain aggregated and de-identified information and may need to retain certain personal information as required by law.
Once a patient Heart Track ABPM analysis system account and any associated personal information has been deleted, healthcare providers will no longer have access to the Heart Track ABPM analysis system data and deletion of patient accounts is irreversible. The healthcare provider may not therefore be able to reactivate a patient account or retrieve any personal information, including health related information.
mmHg reserves the right to delete inactive Heart Track ABPM analysis system accounts after ten (10) years. We attempt to notify healthcare providers in advance so that they may have an opportunity to ensure their accounts and patient profiles stays current and available for use.
15. How can I contact mmHg Medical?
If patients or health care providers have questions, comments, or complaints about our privacy practices, please contact us by clicking on the “Contact Us” link on one of our web sites, or emailing us at ht-support@andhearttrack.com. Alternatively, patients or healthcare providers may send a letter to the following address:
Attn: Privacy Officer
MmHg Inc.
5-134 Clinical Sciences Building, 11350 83 Ave
University of Alberta
Edmonton, AB T6G 2G3
Canada
In all communications to us by healthcare providers, please include the email address used to create the Heart Track ABPM analysis system account and a detailed explanation of the request.
16. Changes to this Privacy Notice.
If we change our privacy practices, an updated version of this Privacy Notice will reflect those changes. Users will be alerted to updates to this Privacy Notice by email or via the Heart Track apps. Users will be notified if there is a new version of this Privacy Notice and will be prompted to read and accept it so that they may continue to access and use the Heart Track Diary app and Heart Track ABPM analysis system app and web portal. Without prejudice to user rights under applicable law, we reserve the right to update and amend this Privacy Notice without prior notice to reflect technological advancements, legal and regulatory changes and good business practices to the extent that it does not change the privacy practices as set out in this Privacy Notice.
If users do not agree to the changes to the Privacy Notice, they should delete the Heart Track Diary app or email us directly to delete account and profile information at ht-support@andhearttrack.com.
Doc ID: V1.2Heart Track Diary Mobile Application Privacy Policy